Text widget adds extra slashes when edited by someone without the unfiltered_html capability
|Reported by:||jamescollins||Owned by:||azaozz|
(This bug was originally identified in WordPress Mu)
In , the stripslashes() call was removed from the text widget:
$text = stripslashes(wp_filter_post_kses( $widget_text['text'] ));
$instance['text'] = wp_filter_post_kses( $new_instance['text'] );
This bug will only affect users without the unfiltered_html capability.
In WP, admins and editors have this capability by default, so this bug hasn't been noticed.
In WPMU, users don't have the unfiltered_html capability (except site admins) so this causes extra slashes to be added when editing a text widget.
Donncha has just checked in a change in WPMU, and I think this change should be applied to WP as well.
You can see here that the wp_filter_post_kses() function adds slashes. So logically whenever this function is used, stripslashes() needs to be used as well.
If you remove the unfiltered_html capability from the administrator user role (using role manager or similar), you will see that when editing a text widget, the extra slashes are added.
Change History (9)
comment:4 follow-up: ↓ 6 Denis-de-Bernardy — 5 years ago
- Resolution fixed deleted
- Status changed from closed to reopened